Can you please help out with the VPN design? I have the public interface of the VPN Concentrator 3000 connected to the PIX DMZ (sec 30), the inside interface (sec 100) connected to Campus, and the other end of my VPN Concentrator connected to another interface on the PIX with sec 80. Is the design okay, and how do I allow IKE and IPsec traffic through the PIX to the concentrator on the PIX DMZ?
If the VPN Concentrator is configured with public ip address, then you would need to configure the static NAT to itself as follows:
For example if VPN Concentrator public interface is 188.8.131.52, on the ASA, you would configure:
static (dmz,outside) 184.108.40.206 220.127.116.11 netmask 255.255.255.255
Then you would need to configure ACL on the ASA outside interface to allow the following:
- ESP protocol
The above are the default IPsec ports; however, the VPN Concentrator also supports UDP/10000 and TCP/10000, so if you use those ports, you might want to enable those as well.
Then, for the clear-text traffic from the private interface of the VPN Concentrator towards the inside network, you would also need to configure static statements and an ACL to allow that clear-text traffic after it has been decrypted.
BTW, why don't you just terminate the VPN on the PIX itself?
Just FYI, the VPN Concentrator is going EOL as per the following EOL notification:
Hope that helps.
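To put the answer above into one picture, here is an added PIX configuration fragment (not part of the original reply, and not a copy of the poster's own configuration). It assumes PIX 6.x-style syntax, the interface names and security levels from the question (outside/0, dmz/30, vpnpriv/80, inside/100), RFC 5737 and RFC 1918 documentation addresses for the concentrator (public 203.0.113.10, private 192.168.80.2), a campus range of 10.1.0.0/16 and a client address pool of 10.10.0.0/24. All of those addresses and the ACL names are placeholders to be replaced with the real ones; the `!` lines are explanatory comments.

```ios
! --- Interfaces (names and security levels as described in the question) ---
nameif ethernet0 outside  security0
nameif ethernet1 inside   security100
nameif ethernet2 dmz      security30
nameif ethernet3 vpnpriv  security80

! --- 1. Identity ("static to itself") translation for the concentrator's public address ---
! Outside (sec 0) -> dmz (sec 30) is lower-to-higher, so a static plus an ACL is required.
static (dmz,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255 0 0

! --- 2. Inbound ACL on outside: only IKE and IPsec to the concentrator's public interface ---
access-list outside_in permit udp any host 203.0.113.10 eq isakmp   ! IKE, UDP/500
access-list outside_in permit udp any host 203.0.113.10 eq 4500     ! NAT-T, UDP/4500
access-list outside_in permit esp any host 203.0.113.10             ! IPsec ESP, IP protocol 50
! Optional: only if IPsec over UDP/TCP 10000 is enabled on the concentrator
access-list outside_in permit udp any host 203.0.113.10 eq 10000
access-list outside_in permit tcp any host 203.0.113.10 eq 10000
access-group outside_in in interface outside

! --- 3. Decrypted (clear-text) traffic: concentrator private side (sec 80) -> campus (sec 100) ---
! Again lower-to-higher: expose the campus range with an identity static and permit the client pool.
static (inside,vpnpriv) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
access-list vpnpriv_in permit ip 10.10.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-group vpnpriv_in in interface vpnpriv

! --- 4. Return path: the PIX must know the client pool lives behind the concentrator ---
route vpnpriv 10.10.0.0 255.255.255.0 192.168.80.2 1
```

Two points worth checking once this is in place: the outside ACL deliberately does not permit anything to the concentrator other than the tunnel protocols, so management of the concentrator should come from the inside, and the `vpnpriv_in` ACL is the only place that decides what decrypted VPN users may reach on campus, which is where least-privilege rules for remote users belong rather than on the concentrator alone.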